Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
******************************************************************************************
******************************************************************************************
No Hidden Kernel Modules found

******************************************************************************************
******************************************************************************************
No SSDT Hooks found

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No hidden files/folders found
OTS logfile created on: 4/22/2010 10:10:40 PM - Run 1
OTS by OldTimer - Version 3.1.29.0     Folder = C:\Users\Stephanie\Downloads
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18882)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 48.00% Memory free
8.00 Gb Paging File | 6.00 Gb Available in Paging File | 74.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 284.39 Gb Total Space | 27.88 Gb Free Space | 9.80% Space Free | Partition Type: NTFS
Drive D: | 13.70 Gb Total Space | 2.10 Gb Free Space | 15.32% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEPHANIE-PC
Current User Name: Stephanie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 90 Days
{A85FD55B-891B-4314-97A5-EA96C0BD80B5} -> Windows Live Messenger {AC76BA86-7AD7-1033-7B44-A93000000001} -> Adobe Reader 9.3.2 {AC76BA86-7AD7-2448-0000-900000000003} -> Chinese Traditional Fonts Support For Adobe Reader 9 {B2EE25B9-5B00-4ACF-94F0-92433C28C39E} -> HP MediaSmart Music/Photo/Video {B7050CBDB2504B34BC2A9CA0A692CC29} -> DivX Plus Web Player {B98BE95C-E76F-4246-B8E6-BEB8EE791D06} -> Roxio Media Manager {BBF6D0CD-A081-369F-B0B8-F168594CBB6B} -> Google Talk Plugin {C4124E95-5061-4776-8D5D-E3D931C778E1} -> Microsoft VC9 runtime libraries {C4CF43CE-94AE-498E-9EB1-C804E05CB3CA} -> HP User Guides 0125 {C59C179C-668D-49A9-B6EA-0121CCFC1243} -> LabelPrint {CB099890-1D5F-11D5-9EA9-0050BAE317E1} -> PowerDirector {CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF} -> HP Active Support Library {DCCAD079-F92C-44DA-B258-624FC6517A5A} -> HP MediaSmart DVD {E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001} -> IDT Audio {E5E29403-3D25-40C6-892B-F9FEE2A95585} -> HP Wireless Assistant {E8020EC7-5DD8-80C9-7237-7B2E9BDA8CC6} -> muvee Reveal {ECEE0279-785F-4CB3-9F28-E69813234BF8} -> SPORE Creature Creator Trial Edition {F0E12BBA-AD66-4022-A453-A1C8A0C4D570} -> Microsoft Choice Guard {F6BD194C-4190-4D73-B1B1-C48C99921BFE} -> Windows Live Call {FC053571-8507-44E4-8B6D-AACEAB8CA57C} -> Sansa Media Converter Activation Assistant for the 2007 Microsoft Office suites -> Activation Assistant for the 2007 Microsoft Office suites Adobe AIR -> Adobe AIR Adobe Flash Player ActiveX -> Adobe Flash Player 10 ActiveX Adobe Flash Player Plugin -> Adobe Flash Player 10 Plugin AIM_6 -> AIM 6 Any Video Converter Professional_is1 -> Any Video Converter Professional 3.0.3 Aura Video Converter_is1 -> Aura Video Converter 1.2.1 BlackBerry_{205A5182-EFC8-4C25-B61D-C164F8FF4048} -> BlackBerry Desktop Software 5.0.1 com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1 -> Acrobat.com ENTERPRISE -> Microsoft Office Enterprise 2007 Free DVD Ripper 2.25_is1 -> Free DVD Ripper Version 2.25 Google Desktop -> Google Desktop 
Handbrake -> Handbrake 0.9.4 HOMESTUDENTR -> Microsoft Office Home and Student 2007 HP.MediaSmartSlingPlayer_is1 -> HP MediaSmart SlingPlayer InstallShield_{004B0DCB-4C60-465B-8F01-44B0A4111187} -> SlingPlayer InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D} -> HP MediaSmart Webcam InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79} -> CyberLink DVD Suite InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658} -> Power2Go InstallShield_{67626E09-5366-4480-8F1E-93FADF50CA15} -> HP MediaSmart TV InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E} -> HP MediaSmart Music/Photo/Video InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243} -> LabelPrint InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1} -> PowerDirector InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A} -> HP MediaSmart DVD Malwarebytes' Anti-Malware_is1 -> Malwarebytes' Anti-Malware Mozilla Firefox (3.6.3) -> Mozilla Firefox (3.6.3) NSS -> Norton Security Scan Picasa 3 -> Picasa 3 Samsung ML-1740 Series -> Samsung ML-1740 Series ViewpointMediaPlayer -> Viewpoint Media Player VLC media player -> VLC media player 1.0.0 WildTangent hp Master Uninstall -> My HP Games WinLiveSuite_Wave3 -> Windows Live Essentials < Uninstall List [HKEY_USERS\S-1-5-21-1413613182-2839125087-4029887168-1000\] > -> HKEY_USERS\S-1-5-21-1413613182-2839125087-4029887168-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ -> {226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk -> Google Talk (remove only) BitTorrent -> BitTorrent Google Chrome -> Google Chrome Move Media Player -> Move Media Player Sansa Updater -> Sansa Updater < EventViewer Logs - Last 10 Errors > -> Event Information -> Description Application [ Error ] 4/22/2010 9:28:52 AM Computer Name = Stephanie-PC | Source = SideBySide | ID = 16842830 -> Description = Activation context generation failed for "C:\Users\Stephanie\Downloads\esetsmartinstaller_enu(7).exe".Error in manifest or policy file "" on line . 
A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_1509f8bef40ee4da.manifest. Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0.manifest. Application [ Error ] 4/22/2010 11:04:41 AM Computer Name = Stephanie-PC | Source = Bonjour Service | ID = 100 -> Description = Task Scheduling Error: Continuously busy for more than a second Application [ Error ] 4/22/2010 11:04:41 AM Computer Name = Stephanie-PC | Source = Bonjour Service | ID = 100 -> Description = Task Scheduling Error: m->NextScheduledEvent 5683460 Application [ Error ] 4/22/2010 11:04:41 AM Computer Name = Stephanie-PC | Source = Bonjour Service | ID = 100 -> Description = Task Scheduling Error: m->NextScheduledSPRetry 5683460 Application [ Error ] 4/22/2010 11:04:47 AM Computer Name = Stephanie-PC | Source = Bonjour Service | ID = 100 -> Description = Task Scheduling Error: Continuously busy for more than a second Application [ Error ] 4/22/2010 11:04:48 AM Computer Name = Stephanie-PC | Source = Bonjour Service | ID = 100 -> Description = Task Scheduling Error: m->NextScheduledEvent 5689310 Application [ Error ] 4/22/2010 11:04:48 AM Computer Name = Stephanie-PC | Source = Bonjour Service | ID = 100 -> Description = Task Scheduling Error: m->NextScheduledSPRetry 5689310 Application [ Error ] 4/22/2010 11:04:49 AM Computer Name = Stephanie-PC | Source = Bonjour Service | ID = 100 -> Description = Task Scheduling Error: Continuously busy for more than a second Application [ Error ] 4/22/2010 11:04:50 AM Computer Name = Stephanie-PC | Source = Bonjour Service | ID = 100 -> Description = Task Scheduling Error: m->NextScheduledEvent 5691728 Application [ Error ] 4/22/2010 11:04:50 AM Computer Name = Stephanie-PC | Source = Bonjour 
Service | ID = 100 -> Description = Task Scheduling Error: m->NextScheduledSPRetry 5691728 Media Center [ Error ] 10/11/2009 9:57:02 PM Computer Name = Stephanie-PC | Source = MCUpdate | ID = 0 -> Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule. System [ Error ] 11/27/2009 2:53:28 AM Computer Name = Stephanie-PC | Source = PlugPlayManager | ID = 12 -> Description = The device 'JMB38X SD Host Controller' (PCI\VEN_197B&DEV_2381&SUBSYS_30F7103C&REV_00\4&37ba8cc&0&02E4) disappeared from the system without first being prepared for removal. System [ Error ] 11/27/2009 2:53:29 AM Computer Name = Stephanie-PC | Source = PlugPlayManager | ID = 12 -> Description = The device 'JMB38X MS Host Controller' (PCI\VEN_197B&DEV_2383&SUBSYS_30F7103C&REV_00\4&37ba8cc&0&03E4) disappeared from the system without first being prepared for removal. System [ Error ] 11/27/2009 2:53:29 AM Computer Name = Stephanie-PC | Source = PlugPlayManager | ID = 12 -> Description = The device 'JMB38X xD Host Controller' (PCI\VEN_197B&DEV_2384&SUBSYS_30F7103C&REV_00\4&37ba8cc&0&04E4) disappeared from the system without first being prepared for removal. System [ Error ] 11/30/2009 3:10:57 AM Computer Name = Stephanie-PC | Source = HTTP | ID = 15016 -> Description = System [ Error ] 11/30/2009 3:12:18 AM Computer Name = Stephanie-PC | Source = Service Control Manager | ID = 7000 -> Description = System [ Error ] 11/30/2009 3:12:18 AM Computer Name = Stephanie-PC | Source = Service Control Manager | ID = 7009 -> Description = System [ Error ] 11/30/2009 3:15:27 AM Computer Name = Stephanie-PC | Source = PlugPlayManager | ID = 12 -> Description = The device 'JMB38X SD/MMC Host Controller' (PCI\VEN_197B&DEV_2382&SUBSYS_30F7103C&REV_00\4&37ba8cc&0&00E4) disappeared from the system without first being prepared for removal. 
System [ Error ] 11/30/2009 3:15:27 AM Computer Name = Stephanie-PC | Source = PlugPlayManager | ID = 12 -> Description = The device 'JMB38X SD Host Controller' (PCI\VEN_197B&DEV_2381&SUBSYS_30F7103C&REV_00\4&37ba8cc&0&02E4) disappeared from the system without first being prepared for removal. System [ Error ] 11/30/2009 3:15:27 AM Computer Name = Stephanie-PC | Source = PlugPlayManager | ID = 12 -> Description = The device 'JMB38X MS Host Controller' (PCI\VEN_197B&DEV_2383&SUBSYS_30F7103C&REV_00\4&37ba8cc&0&03E4) disappeared from the system without first being prepared for removal. System [ Error ] 11/30/2009 3:15:27 AM Computer Name = Stephanie-PC | Source = PlugPlayManager | ID = 12 -> Description = The device 'JMB38X xD Host Controller' (PCI\VEN_197B&DEV_2384&SUBSYS_30F7103C&REV_00\4&37ba8cc&0&04E4) disappeared from the system without first being prepared for removal.
I see you have Viewpoint installed... Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.
Please download the newest version of Java from Java.com.
Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable. Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7). Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.
Once old versions are gone, please install the newest version.
Start OTS. Copy/Paste the information in bold below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1413613182-2839125087-4029887168-1000\] > ->
YN -> HKEY_USERS\S-1-5-21-1413613182-2839125087-4029887168-1000\: "ProxyServer" -> http=127.0.0.1:5555
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{b9d0a090-229b-11df-9500-00235a9e0270} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b9d0a090-229b-11df-9500-00235a9e0270}\shell\AutoRun\command ->
YY -> \{b9d0a090-229b-11df-9500-00235a9e0270}\shell\AutoRun\command\\"" -> F:\setup.exe [F:\setup.exe]
YN -> \{ff292315-702b-11de-9ad9-00235a9e0270} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff292315-702b-11de-9ad9-00235a9e0270}\shell\AutoRun\command ->
YY -> \{ff292315-702b-11de-9ad9-00235a9e0270}\shell\AutoRun\command\\"" -> G:\slacker.synclauncher.exe [G:\slacker.synclauncher.exe]
YN -> \{ff292315-702b-11de-9ad9-00235a9e0270} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff292315-702b-11de-9ad9-00235a9e0270}\shell\slacker\command ->
YY -> \{ff292315-702b-11de-9ad9-00235a9e0270}\shell\slacker\command\\"" -> G:\slacker.synclauncher.exe [G:\slacker.synclauncher.exe]
[Files/Folders - Created Within 90 Days]
NY -> lcykohynw -> C:\Users\Stephanie\AppData\Local\lcykohynw
NY -> {93E26451-CD9A-43A5-A2FA-C42392EA4001} -> C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
[Purity]
[Empty Temp Folders]
[EmptyFlash]
[Reboot]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
Select Start > All Programs > Accessories > System tools > System Restore.
On the dialogue box that appears select Create a Restore Point
Click NEXT
Enter a name e.g. Clean
Click CREATE
You now have a clean restore point, to get rid of the bad ones:
Select Start > All Programs > Accessories > System tools > Disk Cleanup.
In the Drop down box that appears select your main drive e.g. C
Click OK
The system will do some calculation and then display a dialogue box with tabs.
Select the More Options tab.
At the bottom will be a System Restore box with a CLEANUP button; click this.
Accept the warning and select OK again; the program will close and you are done.
To remove all of the tools we used and the files and folders they created, please do the following: Please download OTC.exe by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
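The OTS fix above removes two things worth recognising on any Windows box: a per-user Internet Explorer proxy aimed at 127.0.0.1:5555 (a local listener that every browser request is routed through) and MountPoints2 shell\AutoRun\command entries that launch executables from removable drive letters. The script below, added here as an example and not part of the original thread or of OTS, picks those two artifact classes out of a registry export in the text format `reg export` produces. The export it parses is constructed for the demo (the SID and GUIDs are the ones in the fix; the values are made up), and the "benign" proxy host in the usage note is a placeholder.

```python
"""Audit a registry export for the two artifact classes the OTS fix above
removes: an Internet Explorer proxy that points at the loopback adapter, and
MountPoints2 shell verbs that run a program from a removable drive.
Example code, not part of the original thread or of OTS; the export text
below is constructed (SID and GUIDs copied from the fix, values invented)."""
import ipaddress
import re
from typing import Dict, List, Tuple

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1413613182-2839125087-4029887168-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b9d0a090-229b-11df-9500-00235a9e0270}\shell\AutoRun\command]
@="F:\\setup.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff292315-702b-11de-9ad9-00235a9e0270}\shell\slacker\command]
@="G:\\slacker.synclauncher.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ff292315-702b-11de-9ad9-00235a9e0270}]
"BaseClass"="Drive"
'''

Registry = Dict[str, Dict[str, str]]       # key path -> {value name: raw value}
Finding = Tuple[str, str, str]             # (category, key path, detail)
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_MOUNTPOINT_CMD = re.compile(
    r"\\Explorer\\MountPoints2\\(\{[0-9a-f-]+\}|[a-z])\\shell\\([^\\]+)\\command$", re.I)


def parse_reg_export(text: str) -> Registry:
    """Minimal .reg parser: [key] headers followed by "name"=value lines.
    Quoted strings are unescaped; dword:/hex: values are kept as written."""
    reg: Registry = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = re.sub(r'\\(["\\])', r"\1", value[1:-1])
            reg[key][name] = value
    return reg


def is_loopback_host(host: str) -> bool:
    """True for 'localhost', 127.0.0.0/8 and ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_proxy(reg: Registry) -> List[Finding]:
    """Flag WinINet proxies aimed at a loopback listener.  Unless the user
    installed a local proxy on purpose, this means some process on the box has
    put itself in the path of all browser traffic."""
    findings: List[Finding] = []
    for key, values in reg.items():
        if not key.lower().endswith(r"\internet settings"):
            continue
        enabled = values.get("ProxyEnable", "dword:00000000").lower() != "dword:00000000"
        # ProxyServer is "host:port" or "proto=host:port;proto=host:port"
        for entry in filter(None, values.get("ProxyServer", "").split(";")):
            host = entry.split("=", 1)[-1].rsplit(":", 1)[0].strip("[]")
            if is_loopback_host(host):
                state = "enabled" if enabled else "configured but disabled"
                findings.append(("loopback-proxy", key, f"{entry} ({state})"))
    return findings


def audit_mountpoints(reg: Registry) -> List[Finding]:
    """Flag MountPoints2 shell verbs.  Explorer caches, per volume, the verbs an
    autorun.inf offered; the default value of ...\\shell\\<verb>\\command is the
    command run for that verb, so an executable on a removable drive letter
    here deserves a look."""
    findings: List[Finding] = []
    for key, values in reg.items():
        m = _MOUNTPOINT_CMD.search(key)
        if m and values.get("@"):
            findings.append(("mountpoints2-verb", key, f"{m.group(2)} -> {values['@']}"))
    return findings


def audit(reg_text: str) -> List[Finding]:
    """Run both checks over a .reg export and return the findings in file order."""
    reg = parse_reg_export(reg_text)
    return audit_proxy(reg) + audit_mountpoints(reg)


if __name__ == "__main__":
    for category, path, detail in audit(SAMPLE_REG):
        print(f"[{category}] {path}\n    {detail}")
```

On a live machine the same checks apply to the export of `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` and `...\Explorer\MountPoints2`; a corporate proxy such as `proxy.corp.example:8080` (placeholder name) produces no finding, only loopback targets do. The ProxyEnable check matters because a disabled-but-present loopback proxy is still evidence that something wrote it.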
Results of screen317's Security Check version 0.99.3
Windows Vista (UAC is enabled)
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 18
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.3.2
Chinese Traditional Fonts Support For Adobe Reader 9
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)
Please consider updating to Windows Vista Service Packs 1 & 2. Windows Vista Service Packs 1 & 2 contain all the updates released since the first release plus support for new types of hardware and emerging hardware standards. It is now available via Windows Update or as a standalone installation here.
=========================
Please download the newest version of Java from Java.com.
Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable. Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7). Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.
Once old versions are gone, please install the newest version.
=====================================
Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.
Software recommendations
Antivirus/Antispyware
Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
AVG Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
Firewall
Tall Emu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by a 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.
Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.
Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here: http://www.spywarewarrior.com/rogue_anti-spyware.htm
Securing your computer
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.
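The hpHosts recommendation above relies on the hosts file being consulted before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The same property is why malware edits the file: sinkholing an antivirus update site, or pointing it at an attacker's address, is done with the identical mechanism. The script below is an added example, not part of the original post or of hpHosts: it parses a hosts file, separates blocklist-style entries from mappings that touch names the machine needs, and reports malformed lines. The sample hosts file, the domain names and the list of names to protect are all constructed placeholders.

```python
"""Hosts-file audit: tell blocklist entries (the mechanism hpHosts relies on)
apart from hijack entries that sinkhole or redirect names the machine needs.
Example code, not part of the original post; all sample data is constructed."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample hosts file.  The first two name lines are normal, the next
# two are blocklist-style, the two after that are the kind of entries malware
# adds, and the last line is malformed.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example             # blocklist entry
0.0.0.0         tracker.example         # blocklist entry, non-routable form
127.0.0.1       update.vendor.example   # hijack: a needed site is sinkholed
198.51.100.7    av.vendor.example       # hijack: a needed site goes off-box
not-an-ip       junk.example
"""

# Assumed placeholder: names this machine must keep resolving normally.  A real
# check would list the actual update/AV hosts for the software installed.
PROTECTED_NAMES: Set[str] = {"update.vendor.example", "av.vendor.example"}

# Names that legitimately map to loopback in every hosts file.
SELF_NAMES: Set[str] = {"localhost", "localhost.localdomain"}

Entry = Tuple[str, List[str]]   # (address, hostnames on that line)


def parse_hosts(text: str) -> Tuple[List[Entry], List[str]]:
    """Split a hosts file into (address, names) entries, dropping comments.
    Lines whose first field is not an IP address are returned separately."""
    entries: List[Entry] = []
    malformed: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append(line)
            continue
        if len(fields) > 1:
            entries.append((fields[0], fields[1:]))
    return entries, malformed


def audit_hosts(text: str, protected: Set[str]) -> Dict[str, List[str]]:
    """Classify every hostname mapping.  'self' and 'block' are expected in a
    blocklist-style file; the two 'hijack-*' buckets are what to investigate,
    and 'other' holds non-loopback mappings for names not on the protected list."""
    report: Dict[str, List[str]] = {
        "self": [], "block": [], "hijack-sinkholed": [],
        "hijack-redirected": [], "other": [], "malformed": [],
    }
    entries, report["malformed"] = parse_hosts(text)
    for addr, names in entries:
        ip = ipaddress.ip_address(addr)
        sinkhole = ip.is_loopback or ip.is_unspecified   # 127.x, ::1 or 0.0.0.0
        for name in (n.lower() for n in names):
            if name in SELF_NAMES and sinkhole:
                report["self"].append(name)
            elif name in protected:
                bucket = "hijack-sinkholed" if sinkhole else "hijack-redirected"
                report[bucket].append(f"{name} -> {addr}")
            elif sinkhole:
                report["block"].append(name)
            else:
                report["other"].append(f"{name} -> {addr}")
    return report


if __name__ == "__main__":
    for bucket, items in audit_hosts(SAMPLE_HOSTS, PROTECTED_NAMES).items():
        print(f"{bucket:18s} {items}")
```

Run against the real file (C:\Windows\System32\drivers\etc\hosts on Windows) the 'block' bucket should contain only names you chose to block, and anything in a 'hijack-*' bucket or in 'other' is a mapping somebody else added. Keep the protected list to the update and security hosts the machine actually depends on; a blocklist that sinkholes one of them is a misconfiguration even when no malware is involved.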